Jump to content

Possible Mining Trojan


Recommended Posts

Hello, during the last couple days, I've either gotten some spam mails I opened trusting MBAV (yeah I know) - or had some weird stuff such as a Localhost: 9000 page open while viewing uh, the kind of material I'd be ashamed to speak about in here. Double time's charm indeed. Anyway, after these have happened; During night time, today I noticed my MB wasn't working at all. The whole day, no service, no nothing. It closed itself, and when I tried to re-open, I couldn't get the icon in the right bottom bar and some other stuff at first. Even when I re-tried. In the meanwhile, I've also had seen several fishy sounding apps down task manager. One of them was called "Aliyunwrap.exe", the other was processprotect and one or two others... I Googled the former, and it came up with results about wrap.exe / a wrapper which seems to run miners on PCs. While I was doing these, I further noticed my dwm.exe was going from %30 to %70 and to all the way up to %100 on GPU usage. Consistently, as if it's never going to stop fluctuating. It still does this regardless of whether my ethernet cable is plugged in or not.

Ultimately I came to the conclusion that I've been infected with a miner, if not several more stuff. Another Google search told me that MB can't find an infection in this wrap.exe or some other thing. I checked this file's virustotal result, which showed that Nod32 finds the virus that is it. Later, I downloaded Nod32 but that didn't find anything either.

What gives? Should I boot to safe mode with Adw or something and do a scan, post the logs here? That method, can somebody walk me through it?

Link to post
Share on other sites

  • Root Admin

Hello @johnnydoe

As I recommended a couple years ago, please run the following routine and we'll check out your computer.

 

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

Spoiler
 
 
 
 
Spoiler

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

image.png

image.png

image.png

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

Link to post
Share on other sites

When I read that MB does not find this particular mining virus on Virustotal, as I mentioned before I went ahead and installed Nod32 trial. As was expected, it told me to uninstall MB to not have multiple AVs working concurrently. However, my experience with Nod32 was less than good. It didn't do anything up until online activation (there's no offline route) and the scan couldn't access a little over 100 files. I don't know if this is to be concerned or not, or whether you would know something about it (there are posts on their forum saying it's normal). It also doesn't seem to install down safe mode due to this activation thing. 

I just re-installed MB offline trial, and I noticed the issue has gotten more severe. I can't connect to the Internet at all. Plugging in my ethernet cable doesn't seem to connect me, and I'm typing this from another PC connected to the same network. Malwarebytes doesn't find anything btw, I checked finding rootkits, etc, though still no avail. The file of log txt included as attachment.

Thanks for the help.

MBAV log.txt

Link to post
Share on other sites

  • Root Admin

Please save this program to the affected computer, run it. Then post back both logs. @johnnydoe

 

Please do the following so that we can get started and see what's going on.


The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool
    Do not click on any Ads.
     
  2. Locate the file you downloaded on your computer.
    Downloaded files are often saved to the Downloads folder.
     
  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.

    DOC-1318-1.png
     
  4. Windows protected your PC notification may appear. This notification is from the Windows Defender SmartScreen Filter which prevents unfamiliar apps from running on your PC.
    Disable smart screen ONLY if it interferes with software we may have to use:  What is SmartScreen and how can it help protect me?

         a.  Click More info.

    https://support.malwarebytes.com/hc/article_attachments/360051190254/DOC-1318-2.png
         b.  Click Run anyway.

    https://support.malwarebytes.com/hc/article_attachments/360051190294/DOC-1318-3.png
  5. When the User Account Control window appears, click Yes.

    image.png

     
  6. To accept the Disclaimer of warranty, click Yes.

    image.png

     
  7. Ensure only the boxes listed below are checked

    image.png

    Registry  Services  Drivers
    Processes  Internet  One month
    Addition.txt

    image.png

     

  8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
    Please remember to re-enable any Antivirus software when we are finished running scans

    Click Scan. The scan may take a few minutes to complete.

    image.png
     

  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:

  • Scan completed. FRST.txt is saved in the same directory FRST is located.

    image.png

  • Addition.txt is saved in the same directory FRST is located.

    image.png
     

  • Click OK to close each message window

 

Please attach both of those logs on your next reply, DO NOT copy/paste the contents of the logs directly

https://content.invisioncic.com/Mmalware/monthly_2018_10/_mb_attach.jpg.dbd89b8e360d3763b3bbe33ce83d680d.jpg

 

 

Thanks

 

 

Link to post
Share on other sites

As I've been researching high dwm usage, one Reddit post said that it could be because of too new of a display driver compared to the one Microsoft signs on their updated Windows versions. Rolled it back and dwm.exe went back to %0-3. All good, I don't think I might have even been infected in the first place as both Nod32 and MB found nothing, and the wrapper could simply have been for the data recovery software. You can close the thread, thanks for the help.

Link to post
Share on other sites

  • Root Admin

Please uninstall the following and restart the computer. @johnnydoe

AVG TuneUp
 

 

 

Then restart the computer and run the following

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

 

Link to post
Share on other sites

Are we sure this is necessary? I know the driver updater of AVG leads to some crap stuff like breaking the PC, but Tune Up has been working decently for cleaning up the Windows dump files after updates. I buy / sub to it always to keep my SSD clean because I'm living with a very fast but limited storage primary drive (900P 280 PCI-E stick), and it's being beneficial. Would require further confirmation before I go about doing all those steps because the PC seems to be working perfectly right now.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.